App Check comes to Google Identity for iOS!

App Check expands beyond Firebase Services

Available in Public Preview February 14, 2024

Since we launched Firebase App Check to general availability in 2022, you’ve been able to protect your Firebase and custom APIs with App Check. App Check helps protect your API surface by verifying the authenticity of your app or your user’s device. App Check currently protects a few Firebase products from API abuse, such as Cloud Firestore, Storage and Authentication.

We are pleased to announce that App Check is now expanding its protections outside of Firebase to Google Identity for iOS, as a preview feature.

Not just for Firebase

Even if you do not currently use Firebase, this feature is for you, too!

An OAuth client represents your app’s brand and identity, and is presented to your users when they interact with your app. Your app can request permissions from your users through your OAuth clients. App Check helps prevent unwanted interactions with your iOS OAuth clients by using Apple’s App Attest service to establish your app’s integrity. When you enforce this protection, requests from client iOS devices that use your OAuth client are rejected if they are not accompanied by a valid App Check token.

What’s the difference between App Check’s protections for Google Identity for iOS and for Firebase Auth?

The former protects specific end user interactions with your iOS app through your app’s OAuth client, whereas the latter protects certain interactions with Firebase Auth after logging in with the sign-in provider. Additionally, the App Check protection for Firebase Auth extends to other identity providers—not just Google Identity—such as changing the password on an email/password account or updating the user account information.

These two protections can be enabled separately or together, depending on your application. For example, if you currently use Google Sign-In for iOS through Firebase Authentication with Identity Platform, but you also have additional custom use cases for the same iOS OAuth client, you can now take advantage of App Check to help protect both the Firebase Auth use case and your additional use cases from abuse.

What else is different?

With Google Identity for iOS, you now have the ability to turn App Check enforcement on or off at the individual OAuth client level! This gives you the flexibility to onboard your iOS OAuth clients onto App Check one by one.

Google Identity for iOS in the Firebase App Check Console

For security reasons, we also impose more restrictions than usual here, such as only allowing short-lived tokens and only allowing the App Attest attestation provider (the Debug provider is still allowed during development and testing).

Currently, App Check’s protection for Google Identity is available in iOS only (iOS 14+).

What do I need to do to get started?

Before you start writing code, you need to ensure that you have Xcode 12.5 or newer. We also recommend that you use the Google Sign-In library. Next, add your iOS app to the Firebase project using the Project settings page, and then register your app in the App Check section of the Firebase console with the App Attest provider. Finally, make sure that all of your OAuth clients are linked to an app in the Firebase console so that they are covered by the protection.

For more details, check out our documentation.

App Changes

Once you have met the above prerequisites, add the App Attest capability to your application and set the App Attest environment to production. Then modify your app delegate’s didFinishLaunchingWithOptions method to call GIDSignIn.sharedInstance.configure(completion:), which configures App Check for use in a production scenario.

project.swift
import SwiftUI
import GoogleSignIn

class AppDelegate: NSObject, UIApplicationDelegate {
  func application(
    _ application: UIApplication,
    didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil
  ) -> Bool {
    #if targetEnvironment(simulator)
    // Configure for debugging.
    // See: https://developers.google.com/identity/sign-in/ios/appcheck/debug-provider
    #else
    GIDSignIn.sharedInstance.configure { error in
      if let error {
        print("Error configuring `GIDSignIn` for Firebase App Check: \(error)")
      }
    }
    #endif

    return true
  }
}

@main
struct YourAppNameApp: App {
  @UIApplicationDelegateAdaptor(AppDelegate.self) var appDelegate

  // ...
}
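
The simulator branch above is left as a comment. The following added example (not code from the original post) fills it in with the Google Sign-In SDK's debug provider, which the post says is still allowed during development and testing. The helper name `configureAppCheckForGoogleSignIn` and the Info.plist key `API_KEY` are assumptions made for this illustration.

```swift
import Foundation
import GoogleSignIn

/// Hypothetical helper (the name is an assumption); call it once from
/// application(_:didFinishLaunchingWithOptions:).
func configureAppCheckForGoogleSignIn() {
  // Shared completion handler so both providers report failures the same way.
  let report: (Error?) -> Void = { error in
    if let error {
      print("Error configuring `GIDSignIn` for Firebase App Check: \(error)")
    }
  }

  #if targetEnvironment(simulator)
  // App Attest is not supported in the simulator, so the debug provider
  // is used there instead.
  // "API_KEY" is an assumed Info.plist entry holding the project's API key;
  // keep it in a development-only configuration, not in release builds.
  guard let apiKey = Bundle.main.infoDictionary?["API_KEY"] as? String,
        !apiKey.isEmpty else {
    print("No API key found; skipping App Check debug provider setup.")
    return
  }
  GIDSignIn.sharedInstance.configureDebugProvider(
    withAPIKey: apiKey,
    completion: report
  )
  #else
  // Physical devices: App Attest backs the App Check token.
  GIDSignIn.sharedInstance.configure(completion: report)
  #endif
}
```

Because the conditional is resolved at compile time, a device build contains no debug-provider call at all, so the debug path cannot be switched on at runtime in production.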

What’s next

If you like the additional security that App Check provides for Google Identity for iOS, and would like to know what else you could do with App Check, learn more about App Check in the video below. You can also check out the App Check documentation for further guidance on protecting more endpoints.